OWASP Security Testing Checklist: Complete 2026 Guide
Complete 2026 OWASP security testing checklist. OWASP Top 10 for web and API, hands-on test cases for SQL injection, XSS, BOLA, and security automation in CI/CD.

In this article
- Why OWASP security testing matters in 2026
- OWASP Top 10 (Web Applications, 2021)
- OWASP API Security Top 10 (2023)
- Tools for security testing
- How to test with OWASP ZAP
- Security test reporting (CVSS severity)
- Common OWASP security testing mistakes
- Continue your security testing journey
- Frequently asked questions
Last updated: June 29, 2026 · 9 min read
This OWASP security testing checklist gives you the complete framework for testing web applications and APIs in 2026 — covering the OWASP Top 10, the OWASP API Security Top 10, and hands-on test cases you can run today. For deeper tool walkthroughs, pair it with our Security Testing Tutorial and API Testing Tutorial.
Why OWASP security testing matters in 2026
- Average breach cost in 2026: $4.88 million (IBM)
- Regulatory pressure — GDPR, HIPAA, PCI-DSS, EU AI Act
- APIs are the new perimeter — 80%+ of attacks target APIs
- AI-generated code introduces new vulnerability classes — see our GitHub Copilot for QA guide.
OWASP Top 10 (Web Applications, 2021)
A01 — Broken Access Control
TC — User cannot access other user's data
1. Log in as User A (id=123)
2. Try GET /users/124/profile
3. Expected: 403 Forbidden
TC — Admin endpoint protected
1. Log in as regular user
2. Try POST /admin/users
3. Expected: 403 Forbidden
A02 — Cryptographic Failures
TC — HTTPS enforced
1. Navigate to http://example.com
2. Expected: Redirect to https://example.com
TC — HSTS header present
1. Inspect response headers
2. Expected: Strict-Transport-Security present
TC — Cookies have HttpOnly and Secure
1. Log in
2. Inspect cookies in DevTools
3. Expected: HttpOnly and Secure flags set
A03 — Injection (SQL, NoSQL, LDAP, OS)
TC — SQL injection rejected
1. Enter ' OR '1'='1 as email
2. Expected: Validation error, no SQL executed
TC — XSS prevented
1. Enter <script>alert('xss')</script> as name
2. Expected: Script not rendered as code
TC — NoSQL injection rejected
1. Enter {"$gt": ""} as email
2. Expected: Validation error
A04 — Insecure Design
TC — Rate limiting on login
1. Submit wrong password 10 times
2. Expected: 429 Too Many Requests after threshold
TC — Critical ops require re-auth
1. Initiate password change
2. Expected: Re-authentication required
A05 — Security Misconfiguration
TC — Default credentials don't work
1. Try admin/admin, root/root
2. Expected: Authentication fails
TC — Security headers present
1. Inspect response headers
2. Expected: CSP, X-Frame-Options, X-Content-Type-Options
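A checker for the A02 (HSTS, HttpOnly, Secure) and A05 (CSP, X-Frame-Options, X-Content-Type-Options) cases, written as an added example rather than the article's own code; it takes captured response headers and Set-Cookie values, and the sample response below is constructed:

```python
"""Response-header and cookie-flag checks (added example, not the article's code).
Given captured response headers and Set-Cookie values, report which A02/A05
checklist items fail. The sample response at the bottom is constructed."""
from http.cookies import SimpleCookie

# Header -> predicate that says whether the value is acceptable (this example's rules).
REQUIRED_HEADERS = {
    "Strict-Transport-Security": lambda v: "max-age=" in v.lower(),
    "Content-Security-Policy": lambda v: bool(v.strip()),
    "X-Frame-Options": lambda v: v.upper() in {"DENY", "SAMEORIGIN"},
    "X-Content-Type-Options": lambda v: v.lower() == "nosniff",
}

def check_headers(headers: dict) -> list:
    """Return findings for missing or weak headers; an empty list means the TC passes."""
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    for name, acceptable in REQUIRED_HEADERS.items():
        value = lower.get(name.lower())
        if value is None:
            findings.append(f"missing {name}")
        elif not acceptable(value):
            findings.append(f"weak {name}: {value!r}")
    return findings

def check_cookies(set_cookie_values: list) -> list:
    """Return findings for every Set-Cookie value that lacks HttpOnly or Secure."""
    findings = []
    for raw in set_cookie_values:
        jar = SimpleCookie()
        jar.load(raw)  # parses attributes and flags the way a browser would
        for name, morsel in jar.items():
            if not morsel["httponly"]:
                findings.append(f"{name}: missing HttpOnly")
            if not morsel["secure"]:
                findings.append(f"{name}: missing Secure")
    return findings

# Constructed sample response, the kind DevTools shows right after login.
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "ALLOWALL",
}
SAMPLE_COOKIES = [
    "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "prefs=dark; Path=/",
]
```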
TC — Stack traces not exposed
1. Trigger an error in production
2. Expected: Generic error page, no stack trace
A06 — Vulnerable Components
TC — npm audit clean
1. Run npm audit
2. Expected: No high or critical vulnerabilities
TC — Dependencies within support window
1. List all dependencies
2. Expected: All within support window
A07 — Authentication Failures
TC — Password complexity enforced
1. Try password "123"
2. Expected: Rejected with complexity error
TC — Account lockout after failed attempts
1. Try wrong password 10 times
2. Expected: Account locked
TC — JWT validation
1. Modify JWT payload (don't change signature)
2. Expected: 401 Unauthorized
A08 — Data Integrity Failures
TC — Auto-update signatures verified
1. Trigger update
2. Expected: Signature verification passes
TC — Deserialization doesn't accept untrusted
1. Send malicious serialized data
2. Expected: Rejected
A09 — Logging Failures
TC — Failed login is logged
1. Submit wrong password
2. Check logs
3. Expected: Failed login event logged
TC — Privilege escalation is logged
1. Attempt to access admin endpoint as user
2. Check logs
3. Expected: Privilege escalation event logged
A10 — SSRF
TC — Server rejects internal URL fetch
1. POST /upload with URL http://localhost:8080/admin
2. Expected: Rejected
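A URL validator for the A10 cases (this localhost case and the metadata-address case that follows) and the API7 internal-hostname case, written as an added example rather than the article's own code; the allow/deny rules and the behaviour for plain hostnames are this example's assumptions:

```python
"""Outbound URL validation against SSRF (added example, not the article's code).
Rejects loopback, private, link-local and metadata addresses and internal hostnames
before the server fetches anything. Standard library only; rules are assumptions."""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

def is_blocked_ip(ip) -> bool:
    """True for any address that is not publicly routable (covers 127.0.0.0/8,
    10/8, 172.16/12, 192.168/16, 169.254/16 incl. 169.254.169.254, ::1, fc00::/7)."""
    return (not ip.is_global) or ip.is_multicast or ip.is_reserved

def validate_fetch_url(url: str) -> tuple:
    """Return (allowed, reason); fetch only when allowed is True."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    host = parts.hostname  # lower-cased, port and brackets stripped
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL"  # avoid user@host parser confusion
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # not an IP literal, so it is a hostname
    if ip is not None:
        if is_blocked_ip(ip):
            return False, f"non-public address {ip}"
        return True, "ok"
    # Hostnames: block localhost and single-label (intranet) names. A real
    # deployment must also resolve the name and re-check the resolved address
    # at connect time, otherwise DNS can still point a public name inward.
    if host == "localhost" or host.endswith(".localhost") or "." not in host:
        return False, f"internal hostname {host}"
    return True, "ok"
```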
TC — AWS metadata blocked
1. POST /upload with URL http://169.254.169.254/
2. Expected: Rejected
OWASP API Security Top 10 (2023)
Test every endpoint that takes an ID — pair this section with our API Testing Interview Questions and Postman API Testing Tutorial.
API1 — Broken Object Level Authorization (BOLA)
The #1 API vulnerability in 2026.
TC — User cannot access other user's object
1. Log in as User A (token_A, id=123)
2. GET /api/users/124 with token_A
3. Expected: 403 Forbidden
API2 — Broken Authentication
TC — Missing token rejected
1. GET /api/users without Authorization header
2. Expected: 401 Unauthorized
TC — Expired token rejected
1. Use expired JWT
2. Expected: 401 Unauthorized
API3 — Broken Object Property Level Authorization
TC — Cannot set admin role via API
1. PATCH /api/users/123 with {"role": "admin"}
2. Expected: 403 Forbidden or role ignored
API4 — Unrestricted Resource Consumption
TC — Rate limiting on API
1. Send 10,000 requests in 1 second
2. Expected: 429 Too Many Requests after threshold
TC — Large payload rejected
1. Send 100MB JSON payload
2. Expected: 413 Payload Too Large
API5 — Broken Function Level Authorization
TC — Regular user cannot access admin endpoint
1. Log in as regular user
2. POST /api/admin/users
3. Expected: 403 Forbidden
API6 — Unrestricted Sensitive Business Flows
TC — Coupon abuse prevented
1. Apply same coupon code 1,000 times
2. Expected: Rate limited or CAPTCHA after threshold
API7 — SSRF
TC — Internal URL fetch rejected
1. POST /api/upload with URL http://internal-service
2. Expected: Rejected
API8 — Security Misconfiguration
TC — CORS not too permissive
1. Request from external origin
2. Expected: CORS headers restrict origins
TC — Error messages don't leak details
1. Trigger error in production
2. Expected: Generic message, no stack trace
API9 — Improper Inventory Management
TC — Old API versions disabled
1. Try /api/v1/ (deprecated)
2. Expected: 404 Not Found
TC — Staging not exposed
1. Try /staging/, /dev/, /test/
2. Expected: Not accessible
API10 — Unsafe Consumption of APIs
TC — Third-party API responses validated
1. Mock third-party API with malformed response
2. Expected: App rejects or handles gracefully
Tools for security testing
SAST (Static Analysis)
| Tool | Free tier |
|---|---|
| SonarQube | Community Edition |
| Semgrep | Yes |
| GitHub Code Scanning | Public repos |
| Snyk Code | Limited |
SCA (Software Composition Analysis)
| Tool | Free tier |
|---|---|
| npm audit | Yes |
| pip-audit | Yes |
| OWASP Dependency-Check | Yes |
| Snyk Open Source | Limited |
DAST (Dynamic Analysis)
| Tool | Free tier |
|---|---|
| OWASP ZAP | Yes (full) |
| Burp Suite Community | Yes |
| StackHawk | Limited |
How to test with OWASP ZAP
Quick scan
```bash
docker run -v $(pwd):/zap/wrk:rw \
  owasp/zap2docker-stable zap-baseline.py \
  -t https://staging.example.com \
  -r zap-report.html
```
CI/CD integration
```yaml
- name: OWASP ZAP Scan
  uses: zaproxy/action-baseline@v0.7.0
  with:
    target: 'https://staging.example.com'
```
Plug this into your existing pipeline patterns from our CI/CD Pipeline Testing Tutorial and GitHub Actions for Automation Testing guide.
Security test reporting (CVSS severity)
| Severity | CVSS | Example |
|---|---|---|
| Critical | 9.0–10.0 | RCE, unauthenticated admin access |
| High | 7.0–8.9 | BOLA, SQL injection |
| Medium | 4.0–6.9 | Reflected XSS |
| Low | 0.1–3.9 | Info disclosure |
| Info | 0.0 | Best practice violation |
For the full security bug report template, see our Security Testing Tutorial.
Common OWASP security testing mistakes
1 — Testing only with automated tools
Automated tools catch 30–50% of issues. Manual testing catches the rest.
2 — Not testing authentication thoroughly
Cover password complexity, account lockout, MFA bypass, JWT validation, and session timeout.
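The two JWT cases from the checklist (A07: payload modified, signature kept; API2: expired token) implemented as a verifier, written as an added example rather than the article's own code; the HS256 key and claims are constructed sample values:

```python
"""HS256 JWT verification with tamper and expiry checks (added example, not the article's code).
Exercises the A07 "modify payload, keep signature" case and the API2 expired-token case.
The signing key and claims are constructed sample values."""
import base64, hashlib, hmac, json, time
from typing import Optional, Tuple

KEY = b"constructed-demo-key-do-not-use"  # sample key only

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign(claims: dict, key: bytes = KEY) -> str:
    """Issue a token; used here only to build test inputs."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(mac)}"

def verify(token: str, key: bytes = KEY, now: Optional[int] = None) -> Tuple[int, dict]:
    """Return (http_status, claims): 401 for any malformed, tampered or expired token."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_unb64url(header_b64))
        if header.get("alg") != "HS256":  # pin the algorithm server-side
            return 401, {}
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        # Constant-time comparison, done before any claim is trusted.
        if not hmac.compare_digest(expected, _unb64url(sig_b64)):
            return 401, {}
        claims = json.loads(_unb64url(payload_b64))
        if not isinstance(claims, dict) or now >= int(claims["exp"]):
            return 401, {}  # a missing exp raises KeyError and is handled below
    except (ValueError, KeyError, TypeError, AttributeError):
        return 401, {}
    return 200, claims

def tamper(token: str, new_claims: dict) -> str:
    """Swap the payload but keep the original signature (the A07 test input)."""
    header_b64, _, sig_b64 = token.split(".")
    return f"{header_b64}.{_b64url(json.dumps(new_claims).encode())}.{sig_b64}"
```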
3 — Skipping authorization tests
For every endpoint, test anonymous access, wrong-role access, and right-role access.
4 — Not testing for BOLA
BOLA is the #1 API vulnerability. Walk IDs in URLs: /users/123 → /users/124.
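The authorization checks behind mistakes 3 and 4, and behind the A01, API1 and API5 test cases above (the /users/123 to /users/124 walk returns 403, and a regular user cannot create users), as an added example rather than the article's own code; ids, tokens and emails are constructed sample data:

```python
"""Object- and function-level authorization (added example, not the article's code).
Covers A01/API1 (a user may read only their own profile) and API5 (only admins
may create users). Ids, tokens and emails are constructed sample data."""
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Principal:
    user_id: int
    role: str  # "user" or "admin"

# Constructed session store: opaque bearer token -> authenticated principal.
SESSIONS = {
    "token_A": Principal(123, "user"),
    "token_B": Principal(124, "user"),
    "token_admin": Principal(1, "admin"),
}
PROFILES = {123: {"email": "a@example.com"}, 124: {"email": "b@example.com"}}

def authenticate(headers: dict) -> Optional[Principal]:
    """Resolve the Authorization header to a principal; None means anonymous."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return SESSIONS.get(auth[len("Bearer "):])

def get_profile(headers: dict, target_id: int) -> Tuple[int, dict]:
    """GET /users/{id}: object-level check, owner or admin only."""
    who = authenticate(headers)
    if who is None:
        return 401, {"error": "unauthorized"}
    # The BOLA check: the id in the URL is never trusted on its own.
    if who.user_id != target_id and who.role != "admin":
        return 403, {"error": "forbidden"}
    profile = PROFILES.get(target_id)
    return (200, profile) if profile else (404, {"error": "not found"})

def create_user(headers: dict, body: dict) -> Tuple[int, dict]:
    """POST /admin/users: function-level check, admin role required."""
    who = authenticate(headers)
    if who is None:
        return 401, {"error": "unauthorized"}
    if who.role != "admin":
        return 403, {"error": "forbidden"}
    new_id = max(PROFILES) + 1
    PROFILES[new_id] = {"email": body.get("email", "")}
    return 201, {"id": new_id}
```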
5 — Trusting third-party APIs
Validate third-party API responses. Don't trust them blindly.
6 — Not testing error responses
500 errors shouldn't expose stack traces. 404s shouldn't reveal which resources exist.
7 — Not updating security tests
Threats evolve. Refresh your security test suite quarterly.
8 — Skipping rate limiting tests
Rate-limit logins, API calls, and resource creation to prevent abuse and DoS.
Continue your security testing journey
Frequently asked questions
What is OWASP?
OWASP (Open Worldwide Application Security Project) is a nonprofit foundation that publishes security standards, including the Top 10 lists.
What's the difference between OWASP Top 10 (Web) and OWASP API Top 10?
Web Top 10 covers web application vulnerabilities. API Top 10 covers API-specific vulnerabilities — most notably BOLA.
What's the #1 API vulnerability in 2026?
BOLA (Broken Object Level Authorization) — access other users' objects by changing IDs in URLs.
How do I run security tests in CI/CD?
Use OWASP ZAP for DAST, Snyk or npm audit for SCA, and SonarQube for SAST. Together they cover the running application, its dependencies, and its source code.
How long does a full security audit take?
1–2 weeks for a comprehensive audit. Ongoing security testing is continuous.
What's the cost of a data breach in 2026?
$4.88 million average per IBM's Cost of a Data Breach Report. Some breaches cost $100M+.